Software Supply Chain - DevOps Days Charlotte 2017
  1. Detroit, 1982. © Taptas.com, "On the Line"
  2. "Inspection does not improve quality. Nor guarantee quality. Inspection is too late." W. Edwards Deming, Out of the Crisis, 1982
  3. 1990s: Waterfall-Native. 2000s: Agile. 2015: DevOps-Native
  4. COMPANIES DON'T WRITE SOFTWARE ANYMORE;
  5. They manufacture it… #devops #continuous #software-supply-chain
  6. Utilizing billions of parts from open source communities... 80% to 90% of modern apps consist of assembled components.
  7. "The Japanese auto manufacturer buys 80% of his stamping requirements from contract metal stampers. The reverse is true in the U.S." W. Edwards Deming, Out of the Crisis, 1982
  8. THE BEST ARE BORROWING FROM DEMING
  9. MAKING INVISIBLE THINGS VISIBLE
  10. 16,766,704
  11. 3,000 organizations. 25,000 applications
  12. Say Hello to Your Software Supply Chain…
  13. FEASTING ON A MASSIVE SUPPLY
  14. 1,000 new projects per day. 10,000 new versions per day. 14x releases per year
  15. THE SOFTWARE SUPPLY CHAIN INDEX: Open Source Component Download Requests, The Central Repository, 2008 - 2016
  16. 385,000 packages. 1.6 billion downloads per week. 1 million requests/hour. 5.9 million total users
  17. NOT ALL PARTS ARE CREATED EQUAL
  18. 2014: 5.5%. 2015: 6.1%. 2016: 6.2%
  19. Analysis of 3,000 organizations. 229,898 downloads (orders). 5,275 components, all versions (parts). 2,071 components (suppliers)
  20. Analysis of 3,000 organizations. 229,898 downloads. 17,206 (7.48%) with known security vulnerabilities
  21. Warehouses: 6.1% of component downloads are vulnerable. Manufacturers: 5.6% of components in repository managers are vulnerable. Finished Goods: 6.8% of components in applications are vulnerable
  22. SOURCING PRACTICES ARE IMPROVING. Chart: active Nexus Repository instances by year, 2010 - 2017 (25,000 to 125,000)
  23. INSPECTION PRACTICES ARE IMPROVING. Chart: Nexus Repository instances vs. repositories scanned with Repository Health Check, by year, 2010 - 2017 (25,000 to 125,000)
  24. NEWER COMPONENTS MAKE BETTER SOFTWARE. Analysis of components in 25,000 application scans. Chart: defect density by component age in years. 3X HIGHER DEFECT DENSITY
  25. OLDER COMPONENTS DIE OFF. Analysis of components in 25,000 application scans. Chart: inactive projects (% on latest version) by component age in years
  26. 8 years later (2007 to 2015), vulnerable versions of Bouncy Castle were downloaded… 5.8M times. CVE-2007-6721, CVSS Base Score: 10.0 HIGH, Impact Subscore: 10.0, Exploitability Subscore: 10.0. USE THE HIGHEST QUALITY PARTS
  27. "Governance processes that depend on manual inspection are guaranteed to fail." Diego Lo Giudice, DevOps Analyst, Forrester, November 2016
  28. "Quality comes not from inspection, but from improvement of the production process." W. Edwards Deming, Out of the Crisis, 1982
  29. PRACTICES ARE GAINING TRACTION
  30. Elegant Procurement Trio. Ingredients: anything sold must provide a Bill of Materials of 3rd Party and Open Source Components. Hygiene & Avoidable Risk: cannot use known vulnerable components. Remediation: must be patchable/updateable
  31. DevOps-native teams automate and manufacture software from gold standard parts…
  32. $7.42M: estimated cost to remediate 10% of defects across 2000 applications. www.sonatype.com/calculator
  33. AUTOMATE AUTOMATE AUTOMATE
  34. "Improvement of the process includes better allocation of the human effort." W. Edwards Deming, Out of the Crisis, 1982
  35. 1. ZTTR (Zero Time to Remediation): EMPOWER DEVELOPERS FROM THE START. @weekstweets
  36. 2. DESIGN A FRICTIONLESS APPROACH. @sonatype
  37. 3. CREATE A SOFTWARE BILL OF MATERIALS. bit.ly/softwareBOM @sonatype
  38. CASE STUDY: Global Insurer. From 10 to 4. From 4 to 1. Use software bill of materials
  39. CASE STUDY: Global Insurer. Developers are 30% more productive.
  40. Get the report today. weeks@sonatype.com
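The "Elegant Procurement Trio" (slide 30), the Bouncy Castle download figures (slide 26) and "create a software bill of materials" (slide 37) describe a check that is easy to automate in a build pipeline: read the bill of materials, match each component against an advisory list, and refuse to ship anything at a known-vulnerable version or without a patched release to move to. The script below is an added example, not code from the deck or from Sonatype; the CycloneDX-style SBOM fragment and the advisory feed are constructed sample data, and the affected range used for CVE-2007-6721 (versions below 1.38) is an assumption made for the example, as is the made-up advisory EXAMPLE-0001.

```python
"""SBOM policy gate: an added example, not part of the original deck.

Applies the three procurement rules from the deck to a CycloneDX-style SBOM:
  1. Ingredients: the BOM must list every component with full coordinates.
  2. Hygiene: no component may be at a known-vulnerable version.
  3. Remediation: a flagged component must have a fixed release to move to.
All data below is constructed; the CVE-2007-6721 range is an ASSUMPTION.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed SBOM fragment in CycloneDX JSON shape (components with purls).
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.bouncycastle", "name": "bcprov-jdk15",
         "version": "1.34", "purl": "pkg:maven/org.bouncycastle/bcprov-jdk15@1.34"},
        {"type": "library", "group": "commons-io", "name": "commons-io",
         "version": "2.5", "purl": "pkg:maven/commons-io/commons-io@2.5"},
        {"type": "library", "group": "com.example", "name": "legacy-util",
         "version": "0.9", "purl": "pkg:maven/com.example/legacy-util@0.9"},
    ],
}

# Constructed advisory feed keyed by "group:artifact". The "< 1.38" range for
# CVE-2007-6721 is an assumption for this example; EXAMPLE-0001 is made up and
# deliberately has no fixed release, so it fails the Remediation rule.
SAMPLE_ADVISORIES: Dict[str, List[dict]] = {
    "org.bouncycastle:bcprov-jdk15": [
        {"id": "CVE-2007-6721", "cvss": 10.0, "introduced": "0", "fixed": "1.38"},
    ],
    "com.example:legacy-util": [
        {"id": "EXAMPLE-0001", "cvss": 7.5, "introduced": "0", "fixed": None},
    ],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted Maven-style version into a comparable tuple.
    Numeric tokens compare numerically; a qualifier such as beta or rc is
    ranked -1 so that 1.38-beta sorts below the 1.38 release."""
    return tuple(int(t) if t.isdigit() else -1 for t in re.split(r"[.\-]", v))


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than b (missing tokens count as 0)."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def is_affected(version: str, adv: dict) -> bool:
    """Affected if introduced <= version < fixed; no fixed release means every
    version from 'introduced' onward is still vulnerable."""
    if version_lt(version, adv["introduced"]):
        return False
    return adv["fixed"] is None or version_lt(version, adv["fixed"])


@dataclass
class Finding:
    purl: str
    advisory: str
    cvss: float
    fixed_version: Optional[str]  # None: no patch exists, Remediation rule fails


def load_components(sbom: dict) -> List[dict]:
    """Rule 1: reject a BOM with no components or with a component that lacks
    the coordinates the vulnerability match needs."""
    comps = sbom.get("components")
    if not comps:
        raise ValueError("SBOM lists no components: bill of materials is incomplete")
    for c in comps:
        for key in ("group", "name", "version"):
            if not c.get(key):
                raise ValueError(f"component missing {key}: {c}")
    return comps


def evaluate(sbom: dict, advisories: Dict[str, List[dict]]) -> List[Finding]:
    """Rule 2: every component sitting at a known-vulnerable version."""
    findings: List[Finding] = []
    for c in load_components(sbom):
        for adv in advisories.get(f"{c['group']}:{c['name']}", []):
            if is_affected(c["version"], adv):
                findings.append(Finding(c["purl"], adv["id"], adv["cvss"], adv["fixed"]))
    return findings


def gate(sbom: dict, advisories: Dict[str, List[dict]], max_cvss: float = 7.0) -> Tuple[bool, List[str]]:
    """Decide whether the build may ship. A finding at or above max_cvss blocks
    with the upgrade target named; a finding with no fixed release blocks
    regardless of score, because the component cannot be patched (Rule 3)."""
    reasons: List[str] = []
    for f in evaluate(sbom, advisories):
        if f.fixed_version is None:
            reasons.append(f"{f.purl}: {f.advisory} has no fixed release; replace the component")
        elif f.cvss >= max_cvss:
            reasons.append(f"{f.purl}: {f.advisory} (CVSS {f.cvss}); upgrade to {f.fixed_version}")
    return (not reasons, reasons)


if __name__ == "__main__":
    ok, why = gate(SAMPLE_SBOM, SAMPLE_ADVISORIES)
    print("PASS" if ok else "FAIL")
    for line in why:
        print(" -", line)
    raise SystemExit(0 if ok else 1)
```

Run as a pipeline step, a non-zero exit fails the build; the sample data fails on both the assumed Bouncy Castle range (with 1.38 named as the upgrade) and the unpatchable made-up component. The version comparison is deliberately simple and treats any non-numeric qualifier as a pre-release; a real gate would use the ecosystem's own version ordering and a maintained advisory source rather than the inline dictionary.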
